Expose loadBalancerSourceRanges for Service#154

Open
alexbasista wants to merge 1 commit intohashicorp:mainfrom
alexbasista:add-lb-src-ip-ranges
Conversation

@alexbasista

Summary

This PR adds support for configuring loadBalancerSourceRanges on the TFE Kubernetes Service resources. This allows users to explicitly restrict which source CIDR ranges can access TFE endpoints when using service.type: LoadBalancer.

Background

Kubernetes cloud controllers (GKE, EKS, AKS) typically create provider-managed firewall rules or security group rules to allow ingress traffic for Service resources of type LoadBalancer. By default, if loadBalancerSourceRanges is not set, these rules commonly allow 0.0.0.0/0 (verified on GKE).

gcloud compute firewall-rules describe <k8s2-fw-rule-name> \
  --format='yaml(name,network,direction,priority,sourceRanges,targetTags,allowed)'

allowed:
- IPProtocol: tcp
  ports:
  - '443'
  - '8446'
direction: INGRESS
name: <k8s2-fw-rule-name>
network: https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/<tfe-vpc-name>
priority: 1000
sourceRanges:
- 0.0.0.0/0
targetTags:
- gke-<gke-cluster-name>-########-node

New Helm values

service:
  loadBalancerSourceRanges: []

serviceSecondary:
  loadBalancerSourceRanges: []

Example usage

service:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 203.0.113.10/32
    - 10.0.0.0/8

Testing

  • Templates properly rendered via helm template
  • GKE-managed firewall rules updated to match CIDRs accordingly after helm upgrade

gcloud compute firewall-rules describe <k8s2-fw-rule-name> \
  --format='yaml(name,network,direction,priority,sourceRanges,targetTags,allowed)'

allowed:
- IPProtocol: tcp
  ports:
  - '443'
  - '8446'
direction: INGRESS
name: <k8s2-fw-rule-name>
network: https://www.googleapis.com/compute/v1/projects/<PROJECT_ID>/global/networks/<tfe-vpc-name>
priority: 1000
sourceRanges:
- 203.0.113.10/32
- 10.0.0.0/8
targetTags:
- gke-<gke-cluster-name>-########-node
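
A pre-install check for the values this PR introduces, added here as an example (it is not part of the PR or the chart): it walks the `service` and `serviceSecondary` blocks and reports a LoadBalancer left at the unset default (which the background above shows ends up as 0.0.0.0/0 on GKE), a 0.0.0.0/0 entry, and entries that are not valid CIDRs. The sample values are constructed from the PR's example usage; the function names are this example's own.

```python
import ipaddress


def check_source_ranges(name, svc):
    """Return findings (strings) for one Service values block; empty list means OK."""
    findings = []
    if svc.get("type") != "LoadBalancer":
        return findings  # loadBalancerSourceRanges only matters for type: LoadBalancer
    ranges = svc.get("loadBalancerSourceRanges") or []
    if not ranges:
        # Per the PR background: with the list unset, cloud controllers commonly
        # create provider firewall rules allowing 0.0.0.0/0.
        findings.append(f"{name}: type LoadBalancer with no loadBalancerSourceRanges "
                        "(provider default is commonly 0.0.0.0/0)")
        return findings
    for entry in ranges:
        entry = str(entry)
        if "/" not in entry:
            # Kubernetes validates the field as CIDRs; a bare address is rejected.
            findings.append(f"{name}: {entry} lacks a prefix length (e.g. {entry}/32)")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Parses only with host bits set (e.g. 10.0.0.1/8): suggest the network address.
                fixed = ipaddress.ip_network(entry, strict=False)
                findings.append(f"{name}: {entry} has host bits set; use {fixed}")
            except ValueError:
                findings.append(f"{name}: {entry!r} is not CIDR notation")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: {net} admits every source; no restriction")
    return findings


def check_values(values):
    """Run the check over both Service blocks the chart exposes."""
    out = []
    for key in ("service", "serviceSecondary"):
        if key in values:
            out.extend(check_source_ranges(key, values[key]))
    return out


# Constructed sample: the PR's "Example usage" plus a secondary service left unset.
SAMPLE_VALUES = {
    "service": {"type": "LoadBalancer",
                "loadBalancerSourceRanges": ["203.0.113.10/32", "10.0.0.0/8"]},
    "serviceSecondary": {"type": "LoadBalancer", "loadBalancerSourceRanges": []},
}

if __name__ == "__main__":
    for finding in check_values(SAMPLE_VALUES) or ["no findings"]:
        print(finding)
```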

@alexbasista alexbasista requested a review from a team as a code owner January 5, 2026 22:13